
Session 2 on 17 February 2022

IT Management and IT Governance


GESTS483 – Session 2 - 17 February 2022
IT Management and IT Governance activities

Georges Ataya
Professor, Solvay Brussels School of Economics and Management
Academic Director, IT Management Education
Managing Partner, Ataya & Partners
CISA, CGEIT, CISA, CISSP, MSCS, LSG
CREATION OF ENTERPRISE VALUE

Diagram: Vision and Strategy; Enterprise Architecture; Program Management.
Participants need to get access to the COBIT 2019 books.
Step 1. Link to the ISACA.ORG pages
Step 2. Register as a visitor (free)
Step 3. Download those books at the two following links
1. COBIT 2019 Framework: Introduction & Methodology | Digital | English
https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9cEAC

2. COBIT 2019 Framework: Governance & Management Objectives | Digital | English
https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9ZEAS

Please contact me if you have difficulties finding or downloading those books.

Notice: This material is based on COBIT 2019 publications from ISACA.ORG and supports COBIT 2019
Foundation Certification.
Content is copyrighted to ISACA.
Illustrations and presentations are copyrighted to Georges Ataya (A&P)
The Context of Enterprise Governance of Information and Technology

Enterprise Governance of IT: create a new product or service that increases enterprise value and client satisfaction.

Business/IT Alignment: use technology to implement new capabilities resulting in the creation, the delivery and the invoicing of new products or services.

Value Creation: develop the necessary hardware, software services, information processing and customer interaction in a sustainable and economical manner.

Source: De Haes, Steven; W. Van Grembergen; Enterprise Governance of Information Technology: Achieving Alignment and Value,
Featuring COBIT 5, 2nd ed., Springer International Publishing, Switzerland, 2015, https://www.springer.com/us/book/9783319145464
The Context of Enterprise Governance of Information and Technology

Enterprise Governance

Enterprise Governance of IT

Business/IT Alignment (Integration)

Value Creation

The Context of Enterprise Governance of Information and Technology

Enterprise Governance

Enterprise Governance of IT

Business/IT Alignment (Integration)

Value Creation

Roles shown in the diagram: Decision maker, Architects, Project managers, Delivery personnel, Finance and admin

The Context of Enterprise Governance of Information and Technology

Enterprise Governance

Enterprise Governance of Information Security

Business/Infosec Alignment

Value Creation

What is digital transformation?
Digital transformation happens when
companies adopt digital technologies to
create innovation, improve business
processes, and offer better value to their
customers.
True digital transformation takes place across
two distinct dimensions:
1. Integration of digital
technology. Technology creates
fundamental changes in business models.
2. A cultural shift. Businesses must learn to
push boundaries, experiment, and accept
the associated failures. This potentially
involves abandoning well-established
processes for new ones — ones that are
often still being defined.
United Airlines meets customers wherever they are: the Agent on Demand program. It's designed to meet customers in-app and provide support, wherever and whenever they need it.

DBS Bank turns it around: from outsourcing 85 percent, to insourcing 85 percent of their technology. This meant it could launch the world's largest banking API platform. On the back of that structure, FinTechs and software developers were then able to improve its ability to innovate and increase profits.

Microsoft changes course: Microsoft had been struggling in the mobile operating system market. Instead, it turned its focus to cloud-based solutions.
Value Creation: Benefits realisation, Risk optimization, Resource optimization
Benefits realization

• Creating value for the enterprise through I&T
• Maintaining and increasing value derived from existing I&T investments
• Eliminating IT initiatives and assets that are not creating sufficient value
one of the greatest digital transformation examples in retail: to do this all via voice command! Now all customers have a unique ID, an ID that they can connect to a powerful central CRM.

Know the expectations of customers at each point of contact. Putting the customer experience at the forefront of their strategies, automaker Porsche is doing everything to understand their customers' behaviour.
Risk optimization

• While value delivery focuses on the creation of value, risk management focuses on the preservation of value.
• Address the business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise.
• I&T-related business risk consists of I&T-related events that could potentially impact the business.
Together with the data analysis startup Uptake, Caterpillar has developed a tool that collects all the performance data of its machines and is able to predict the most appropriate times for preventive maintenance of equipment before any problems occur, drastically decreasing the time of "machine stops".

https://www.youtube.com/watch?v=4Y31MD36xF4
Resource optimization

• Appropriate capabilities are in place to execute the strategic plan and sufficient, appropriate and effective resources are provided.
• Beyond IT assets, it also focuses on people by providing training, promoting retention and ensuring competence of key IT personnel.
• An important resource is data and information.
GE is already using the latest 3D printing technologies to produce no fewer than 19 turbine parts through this process.

Among the many advantages of this, one of the most interesting digital transformation examples in the industry, is the reduction of costs such as transportation and storage.
Governance

Ensures that:
• Stakeholder needs, conditions and options
are evaluated to determine balanced,
agreed-on enterprise objectives.
• Direction is set through prioritization and
decision making.
• Performance and compliance are
monitored against agreed-on direction and
objectives.
Management

Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
Significant I&T-related incidents, such as data loss, security breaches, project failure, application errors, linked to IT

Significant incidents (including data loss, security breaches, project failure and application errors linked to IT) are often the tip of the iceberg and their impact can be exacerbated if they receive public and/or media attention. Further investigation often leads to the identification of deeper, structural misalignments—or even the complete lack of an IT risk-aware culture within the enterprise. Stronger EGIT practices are typically required to understand and manage IT-related risk comprehensively.
High level of end-user computing, creating (among other issues) a lack of oversight and quality control over the applications that are being developed and put in operation

A high level of end-user computing may strain communication between IT and the business. It could entail loose controls around installation of business applications. It may result from suboptimal portfolio and project formulation, and/or inadequate proposal and approval mechanisms. EGIT can help establish a common view on the role and value of IT to optimize security and functionality of end-user devices.
Reluctance of board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT

These pain points often indicate a lack of business understanding and insight into IT, insufficient IT visibility at appropriate levels, or ineffective management structures. The pain points may also indicate issues with board mandates, which are often caused by poor communication between the business and IT, and/or misunderstanding of the business and IT by the business sponsors for I&T.
Merger, acquisition or divestiture

These transactions may result in significant strategic and operational consequences relating to I&T. Due diligence reviews must gain an understanding of IT issues in the environment(s). Integration or restructuring requirements may prescribe EGIT mechanisms appropriate for the new environment.
Shifts in the market, economy or competitive position

An economic downturn could lead enterprises to revise EGIT mechanisms to facilitate large-scale cost optimization or performance improvement.
New regulatory or compliance requirements

Complying with laws and regulations often has EGIT ramifications. For example, expanded corporate governance reporting requirements and financial regulations often trigger a need for better EGIT as well as a focus on information privacy, given the pervasiveness of IT.
GOALS CASCADE
Enterprise Goals

Goals Cascade: transforms stakeholder needs into an enterprise's actionable strategy.

Stakeholder Drivers and Needs

Enterprise Goals

Alignment Goals

Governance and Management Objectives

Enterprise Goals and Metrics
Alignment Goals and Metrics
Stakeholder Drivers and Needs

Enterprise Goals: Risk Optimisation

Alignment Goals: Information Security

Governance and Management Objectives: Management Objectives
• Conduct Risk assessment
• Mitigate identified risks
• Transform business processes
• Respond to and manage incidents
• Etc.
Alignment of IT goals with the organisation's strategic goals
(Benefits Realization, Risk Optimization, Resources Optimization)

Stakeholder Drivers and Needs: Digital Transformation, Security, Regulatory requirements, System reliability, Cost reduction, etc.
Cascade to
Enterprise Goals: Managed business risks, Compliance with external laws, Product & business innovation, Optimization of business cost, etc.
Cascade to
IT Alignment Goals: I&T compliance, Managed I&T-related risks, Delivery of I&T services, Expertise for innovation, etc.
Cascade to
IT Governance and Management Objectives: Govern, Plan, Build, Run, Monitor
2/16/2022 ©2021 Ataya & Partners. All rights reserved. 38


Example of alignment #1: Benefits Realization

Stakeholder Drivers and Needs: Digital Transformation
Cascade to
Enterprise Goals: ensure ability to:
- Innovate
- Change work methods
- Make the change
Cascade to
IT Alignment Goals:
- Deploy
- Manage the technical and infrastructure support
Cascade to
IT Governance and Management Objectives: Managed Innovation; Managed Projects/Programs; Managed IT Change


Example of alignment #2: Risk Optimization

Stakeholder Drivers and Needs: Security
Cascade to
Enterprise Goals: ensure ability to:
- Carry out risk assessments
- Strengthen weak areas
Cascade to
IT Alignment Goals:
- Modify risky treatments and practices
- Respond to, and manage incidents
Cascade to
IT Governance and Management Objectives: Managed Risk; Managed Security; Managed Security Services


Example of alignment #3: Resources Optimization

Stakeholder Drivers and Needs: Cost reduction
Cascade to
Enterprise Goals: ensure ability to:
- Manage investments
- Manage external suppliers
Cascade to
IT Alignment Goals:
- Manage assets
- Deploy a cost strategy while maintaining services and quality
Cascade to
IT Governance and Management Objectives: Ensured Resource Optimization; Managed Portfolio; Managed Budget & Costs


COBIT Core Model
Governance and Management Objectives and Purpose
COBIT
Governance and Management Framework

• Defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviours, skills, and infrastructure.
• Defines the design factors that should be considered by the
enterprise to build a best-fit governance system.
• Addresses governance issues by grouping relevant governance
components into governance and management objectives that can
be managed to the required capability levels.
What COBIT is not!
Several misconceptions about COBIT should be dispelled:

• It is not a full description of the whole IT environment of an enterprise.
• It is not a framework to organize business processes.
• It is not an (IT-)technical framework to manage all technology.
• It does not make or prescribe any IT-related decisions. It will not decide
what the best IT strategy is, what the best architecture is, or how much IT
can or should cost. Rather, COBIT defines all the components that
describe which decisions should be taken, and how and by whom they
should be taken.
STAKEHOLDERS FOR EGIT
(THE ENTERPRISE GOVERNANCE OF IT)

EGIT stakeholders and the benefits they can gain from implementing EGIT

• Boards: provides insights on how to get value from the use of I&T and explains relevant board responsibilities.
• Executive Management: provides guidance on how to organize and monitor performance of I&T across the enterprise.
• Business Managers: helps to understand how to obtain the I&T solutions enterprises require and how best to exploit new technology for new strategic opportunities.
• IT Managers: provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
• Assurance Providers: helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls.
• Risk Management: helps to ensure the identification and management of all IT-related risk.
• Regulators: helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance.
• Business Partners: helps to ensure that a business partner's operations are secure, reliable and compliant with applicable rules and regulations.
• IT Vendors: helps to ensure that an IT vendor's operations are secure, reliable and compliant with applicable rules and regulations to ensure the identification and management of all IT-related risk.
• Compliance Managers: helps to ensure compliance activities are conducted in a manner that delivers value to the organisation.
Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain. In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.

EDM01 • Ensured governance framework setting and maintenance
EDM02 • Ensured benefits delivery
EDM03 • Ensured risk optimization
EDM04 • Ensured resource optimization
EDM05 • Ensured stakeholder engagement
COBIT Core Model: Governance and
Management Objectives and Purpose
Align, Plan and Organize (APO)

Addresses the overall organization, strategy and supporting activities for I&T.

APO01 • Managed I&T management framework
APO02 • Managed strategy
APO03 • Managed enterprise architecture
APO04 • Managed innovation
APO05 • Managed portfolio
APO06 • Managed budget and costs
APO07 • Managed human resources
APO08 • Managed relationships
APO09 • Managed service agreements
APO10 • Managed vendors
APO11 • Managed quality
APO12 • Managed risk
APO13 • Managed security
APO14 • Managed data
Build, Acquire and Implement (BAI)

Treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.

BAI01 • Managed programs
BAI02 • Managed requirements definition
BAI03 • Managed solutions identification and build
BAI04 • Managed availability and capacity
BAI05 • Managed organizational change
BAI06 • Managed IT changes and transitioning
BAI07 • Managed IT change acceptance
BAI08 • Managed knowledge
BAI09 • Managed assets
BAI10 • Managed configuration
BAI11 • Managed projects

Deliver, Service and Support (DSS)

Addresses the operational delivery and support of I&T services, including security.

DSS01 • Managed operations
DSS02 • Managed service requests and incidents
DSS03 • Managed problems
DSS04 • Managed continuity
DSS05 • Managed security services
DSS06 • Managed business process controls
Monitor, Evaluate and Assess (MEA)

Addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.

MEA01 • Managed performance and conformance monitoring
MEA02 • Managed system of internal control
MEA03 • Managed compliance with external requirements
MEA04 • Managed assurance
End of session 2

Copyright © 2019 Ataya & Partners. All rights reserved.


What value creation in those Pain Points?

1. Frustration between different IT entities across the organization because of a perception of low contribution to business value—More and more enterprises have decentralized or decoupled IT entities; each provides specific (and often discontinuous) services to its stakeholders. Dependencies may persist among the groups; when dependencies are not carefully managed, they may compromise IT effectiveness and efficiency.

2. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value—While many enterprises continue to increase their investments in I&T, the value of these investments and overall performance of IT are often questioned and/or not fully understood. This frustration can indicate an EGIT issue, and suggests improving communication between IT and the business, and/or establishing a common view on the role and value of IT. It can also be a consequence of suboptimal portfolio and project formulation, proposal and approval mechanisms.

3. Significant I&T-related incidents, such as data loss, security breaches, project failure, application errors, linked to IT—Significant incidents (including data loss, security breaches, project failure and application errors linked to IT) are often the tip of the iceberg and their impact can be exacerbated if they receive public and/or media attention. Further investigation often leads to the identification of deeper, structural misalignments—or even the complete lack of an IT risk-aware culture within the enterprise. Stronger EGIT practices are typically required to understand and manage IT-related risk comprehensively.
4. Service delivery problems by the IT outsourcer(s)—Issues with service delivery from external service providers (e.g., consistent failure to meet agreed service levels) may be due to governance issues. For example, defined third-party service management processes may be lacking or inadequately tailored (including control and monitoring), and/or lack proper responsibilities and accountabilities to fulfill business and IT-service requirements.

5. Failure to meet IT-related regulatory or contractual requirements—In many enterprises, ineffective or inefficient governance mechanisms prevent complete integration of relevant laws, regulations and contractual terms into organizational systems. Alternatively, laws, regulations and contractual terms may be integrated, but the enterprise still lacks an approach for managing them. (Regulations and compliance requirements continue to proliferate globally, and often affect IT-enabled activities directly.)

6. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems—Poor assessments may indicate that service levels are not in place or not functioning well, or that the business is not adequately involved in IT decision making.

7. Substantial hidden and rogue IT spending—Excessive spending outside of normal IT investment decision mechanisms and approved budgets often indicates a lack of sufficiently transparent and comprehensive control over IT expenditures and investments. IT spending can be hidden or misclassified in business-unit budgets, creating an overall biased view of IT costs.

8. Duplications or overlaps between various initiatives, or other forms of wasted resources—Duplicative projects and/or redundant deployment of resources may result when I&T initiatives are not fully represented in a single, comprehensive view of the portfolio. Process and decision-structure capabilities around portfolio and performance management may not be in place.

9. Insufficient IT resources, staff with inadequate skills and staff burnout/dissatisfaction—These are significant IT human resource management issues that require effective oversight and good governance to address people management and skills development effectively. They may also indicate underlying weaknesses in IT-demand management and internal service-delivery practices (among other latent issues).

10. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget—These pain points could relate to problems with business-IT alignment, poor definition of business requirements, lack of a benefit-realization process, suboptimal implementation or issues in project/program management processes.

11. Multiple and complex IT assurance efforts—This scenario could indicate poor coordination between the business and IT regarding the need for, and execution of, IT-related assurance reviews. A low level of business trust in IT may prompt the business to initiate its own reviews. Alternatively, it could suggest a lack of business accountability for, or involvement in, IT-assurance reviews, if the business is simply not aware when reviews take place.

12. Reluctance of board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT—These pain points often indicate a lack of business understanding and insight into IT, insufficient IT visibility at appropriate levels, or ineffective management structures. The pain points may also indicate issues with board mandates, which are often caused by poor communication between the business and IT, and/or misunderstanding of the business and IT by the business sponsors for I&T.

13. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions—Decentralized or federated IT organizations often have different structures, practices and policies. The resulting complexity requires a strong focus on EGIT to ensure optimal IT decision making, and effective and efficient operations. This pain point often becomes more significant with globalization: each territory or region may have specific (and potentially unique) internal and external environmental factors to be addressed.

14. Excessively high cost of IT—IT is often perceived as a cost to the organization—a cost that should be kept as low as possible. This issue typically occurs when IT budgets are spent primarily on projects that bring little value to the business, keeping the lights on, instead of bringing new opportunities and innovation. Lack of a holistic, portfolio view of all I&T initiatives can contribute to excess cost and may indicate that process and decision-structure capabilities around portfolio and performance management are not in place.

15. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems—In many organizations, legacy IT architecture does not allow much flexibility in the implementation of new, innovative solutions. Digitization often requires fast action and agile responses to changing circumstances. It requires a new, more flexible approach to IT development and operations, and therefore directly implicates the governance system.

16. Gap between business and technical knowledge—Business users and IT specialists often speak different languages. When business users lack sufficient understanding of I&T, or fail to grasp how I&T can improve the business—or conversely, when IT specialists misconstrue challenges and opportunities in the business context—the enterprise cannot grow and innovate as it should to be successful. This situation requires good governance to ensure that people management and skills development are addressed effectively.

17. Regular issues with data quality and integration of data across various sources—Enterprises increasingly realize the potential value that may be hidden in their information. All issues of data quality or data integration can have a substantial impact on the success of the enterprise. EGIT is key to establishing the right processes, roles, responsibilities, culture, etc., to deliver business value from information.

18. High level of end-user computing, creating (among other issues) a lack of oversight and quality control over the applications that are being developed and put in operation—A high level of end-user computing may strain communication between IT and the business, and could entail loose controls around installation of business applications. It may result from suboptimal portfolio and project formulation, and/or inadequate proposal and approval mechanisms. EGIT can help establish a common view on the role and value of IT to optimize security and functionality of end-user devices.
19. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department—This pain point may relate to the end-user computing issue and the optimal use of data and information; however, it primarily results when the business attempts to implement more robust solutions and services in the normal course of pursuing business advantage. Lack of communication or trust between business and IT can contribute to unsanctioned, independent development, or exacerbate its symptoms (in the form of service issues, etc.).

20. Ignorance of and/or noncompliance with security and privacy regulations—Mitigating new security and privacy threats should be on the agenda of every enterprise, not only for compliance reasons but also to preserve the value the enterprise generates. Ignorance and/or noncompliance with regulations can seriously impair the enterprise and should be managed through proper EGIT.

21. Inability to exploit new technologies or innovate using I&T—A common business complaint casts IT in a supporting role, whereas the enterprise needs IT to innovate and provide a competitive edge. Such complaints may point to a lack of true bidirectional alignment between business and IT, which could reflect communication issues or a need to increase business involvement in IT decision making. Alternatively, the business may involve IT too late in its strategic planning or business initiatives. The issue often arises most emphatically when economic conditions require rapid enterprise responses, such as the introduction of new products or services.
